mvcombine ignores specified delimiter

Path Finder

We're indexing /var/log/secure, as one does, and I have a request to list users who've logged in in a comma-delimited list per host. I'm using the Splunk search

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats values(user) as "user" by host |  mvcombine delim="," user

This works great, but for some reason the results are not honoring the delim="," and so they're coming out as space-delimited instead. A minor annoyance, but pointers for getting this to do exactly as I want would be great.



This guy has the right answer here:

In short, your search needs to move the delim parameter to your stats command, like this.

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats delim="," values(user) as "user" by host | mvcombine user


In this case, @peter7431's answer is probably the best answer. There are times when you aren't using stats to get the multi-value field so I wanted to follow-up with why it didn't work and two ways to make it work.

Why didn't it work?

mvcombine takes fields from different events and combines them. For example:

| gentimes start=-1 
| eval foo="cat;bear;monkey;horse;dog" 
| fields foo | eval foo=split(foo,";")
|  mvexpand foo

Then if we try mvcombine and use nomv, you can see the effect of the delim argument:

| mvcombine delim="DelimsROCK" foo
|  nomv foo

Other than the stats command, how can we make it work?

Option 1: Utilize mvexpand and nomv

The most obvious solution can be seen in my above example where I use mvexpand foo and nomv foo:
source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host
| mvexpand user
| mvcombine delim="," user
| nomv user

Note: There are two additions: mvexpand and nomv.

Option 2 (preferred): Use mvjoin

source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host 
| eval user=mvjoin(user,",")
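For anyone who wants to sanity-check what the searches above actually compute before running them against an index, here is an added example, written for this page and not part of the original thread or of Splunk itself. It reads a few constructed /var/log/secure lines (rsyslog-style timestamp, then hostname, then the sshd/pam_unix message; the hostnames, PIDs and user names are made up), keeps only the "session opened" events, and builds the same per-host table that `stats values(user) as user by host | eval user=mvjoin(user,",")` would produce. Like `stats values()`, it deduplicates users and sorts them lexicographically; "session closed" and "Failed password" lines are deliberately included as noise that must not match.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure in the default rsyslog format.
# Hostnames, PIDs, IPs and user names are made up for this example.
SAMPLE_SECURE_LOG = """\
Jun 12 08:01:12 host1 sshd[2311]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Jun 12 08:02:40 host1 sshd[2350]: pam_unix(sshd:session): session opened for user user4 by (uid=0)
Jun 12 08:03:05 host2 sshd[1902]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Jun 12 08:03:09 host1 sshd[2350]: pam_unix(sshd:session): session closed for user user4
Jun 12 08:04:51 host2 sshd[1944]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
Jun 12 08:05:00 host1 sshd[2401]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Jun 12 08:06:13 host3 sshd[777]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
Jun 12 08:07:45 host1 sshd[2433]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
"""

# Equivalent of the search filter
#   source=/var/log/secure "pam_unix(sshd:session): session opened"
# plus extraction of the syslog hostname and the pam user field.
SESSION_OPENED = re.compile(
    r"^\w{3}\s+\d{1,2}\s[\d:]{8}\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)


def users_by_host(log_text):
    """Mimic `stats values(user) as user by host`.

    Returns {host: [user, ...]} with users unique and sorted
    lexicographically, which is what values() produces.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = SESSION_OPENED.match(line)
        if m:
            seen[m.group("host")].add(m.group("user"))
    return {host: sorted(users) for host, users in seen.items()}


def format_table(users, delim=","):
    """Mimic `eval user=mvjoin(user, ",")`: one delimited string per host."""
    return {host: delim.join(names) for host, names in sorted(users.items())}


if __name__ == "__main__":
    for host, joined in format_table(users_by_host(SAMPLE_SECURE_LOG)).items():
        print(host, joined)
```

The regex is anchored on the full syslog prefix rather than just the pam_unix string so that a user-controlled value elsewhere on the line (for example a username in a "Failed password for invalid user ..." message) cannot be mistaken for a successful session. The same care applies in SPL: the "session opened" literal in the search is what keeps failed logins out of the per-host list.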

Path Finder

I want a table like so:

host1 user1,user4,user8,user13
host2 user1,user2,user9,user11,user101
host3 user2,user4,user10

What I'm getting now is:

host1 user1 user4 user8 user13
host2 user1 user2 user9 user11 user101
host3 user2 user4 user10


Splunk Employee

What are you trying to do with mvcombine here? It looks like your stats command is requesting a multivalue field for user, but then you're trying to combine it. mvcombine works on multiple events, with single-value fields.

What do you want as your ultimate table?
